Offline bruteforce attack on WiFi Protected Setup

425,141 views
432,284 views

Published on

Offline bruteforce attack on WiFi Protected Setup

Published in: Technology
1 Comment
52 Likes
Statistics
Notes
  • I have made a modification in reaver to automatize the process, here is the github - https://github.com/t6x/reaver-wps-fork-t6x
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
425,141
On SlideShare
0
From Embeds
0
Number of Embeds
298,593
Actions
Shares
0
Downloads
1,020
Comments
1
Likes
52
Embeds 0
No embeds

No notes for slide

Offline bruteforce attack on WiFi Protected Setup

  1. 1. Offline bruteforce attack on WiFi Protected Setup Dominique Bongard Founder 0xcite, Switzerland @reversity
  2. 2. §  Protocol aiming at easily connecting to protected WiFi networks §  Two main modes: Push-Button and 8 digit PIN code §  Gives the WPA passphrase to stations providing the right PIN §  Poor design and implementation
  3. 3. Stefan Viehböck
  4. 4. Stefan Viehböck
  5. 5. §  Brute force each half of the PIN §  Maximum 10‘000 tries + 1‘000 tries §  No limitation on number of tries in many AP §  Takes a few hours (depends on the AP) §  Largely slowed down in new devices (lock-out) §  Many AP still sold with WPS PIN activated
  6. 6. STA Nonce E-Hash1 E-Hash2 HMAC AES(HMAC(PIN1),E-S1) AES(HMAC(PIN2),E-S2)
  7. 7. §  If we can guess E-S1 and E-S2, we can the brute force PIN1 and PIN2 offline! §  Pixie dust attack!
  8. 8. §  Usually with pseudo-random generators (PRNG) §  Often insecure PRNG §  No or low entropy §  Small state (32 bits) §  Can the PRNG state be recovered ?
  9. 9. int rand_r( unsigned int *seed ) { unsigned int s=*seed; unsigned int uret; s = (s * 1103515245) + 12345; // permutate seed uret = s & 0xffe00000;// Only use top 11 bits s = (s * 1103515245) + 12345; // permutate seed uret += (s & 0xfffc0000) >> 11;// Only use top 14 bits s = (s * 1103515245) + 12345; // permutate seed uret += (s & 0xfe000000) >> (11+14);// Only use top 7 bits retval = (int)(uret & RAND_MAX); *seed = s; return retval; }
  10. 10. AP Nonce Description PK
  11. 11. §  Linear Congruential Generator §  32 bits state §  No external entropy §  E-S1 and E-S2 generated right after the Nonce
  12. 12. §  Do the WPS protocol up to message M3 §  Get the Nonce from M1 §  Bruteforce the state of the PRNG §  Compute E-S1 and E-S2 from the state §  Decrypt E-Hash1 and E-Hash2 §  Bruteforce Pin1 and Pin2 §  Do the full WPS protocol and get the passphrase
  13. 13. §  Linear Feedback Shift Register (LFSR) §  Broken §  Doesn‘t matter the keys are always NULL !!
  14. 14. §  Some AP have the same state at each boot §  Make a list of common states after reboot §  Attack the AP right after boot
  15. 15. §  Trigger the breakers §  DDOS the AP §  Jam the signal until the target reboots the AP
  16. 16. §  Looks okay §  Uses /dev/random §  Found in Atheros SDK §  But you never know §  Several papers attack the entropy of the linux PRNG in embedded systems
  17. 17. §  It‘s complicated §  Many of the implementations are the reference code for the chipset §  Only the GUI is reskinned §  Therefore many brands are affected §  Many vendors use different chipset §  Even for the same model number
  18. 18. §  Disable WPS now ! §  Reverse engineers: Check other AP for bad PRNG §  Cryptographers: Check if good PRNG are okay

×